SurfinGuard, a product of Finjan Software, automatically flags any downloaded executable for inclusion in a sandbox. When an executable in the sandbox tries to run SurfinGuard can block execution completely; monitor execution for attempts to access the registry, file system or network, and make calls to other executables; or prompt for action. Visual Basic scripts and .exe files are caught and flagged, but executables downloaded within an archive (.zip or suchlike) will be missed. The user can manually add other executables to the sandbox.

URL: http://www.finjan.com/surfinguard/

SurfinGuard runs on Windows 95/98/NT. A Windows 2000 version is advertised for later this summer (Summer 2000).

Pros

• SurfinGuard is fully automated.
• SurfinGuard may detect and defeat malicious logic that has not yet been identified and added to a threat list, providing what the developers call "First-strike security."

• While it is freeware, SurfinGuard is not open source, and relies on proprietary technology.
• Since it isn't open source, it is difficult to judge how reliable SurfinGuard's heuristic approach really is. It did successfully detect the ILOVEYOU worm when tested by the reviewer.
• The tool is called "SurfinGuard," making it difficult to research with a straight face.

Axes:
Static vs. Dynamic: Dynamic
Library vs. Instrumenting: Library
Testing vs. Production: Production
Opaque vs. Clear: Opaque
List vs. Heuristic: Heuristic
Conservative vs. Liberal: Liberal (Except for the setting that blocks execution of any .exe received from the network.)
Concurrent vs. Single Program: Single
Alert vs. Fix: Alert

Evaluated by Homer Briggs on 8/24/2000